CRLF injection vulnerability in the HTTPConnection.putheader() function
in urllib2 and urllib in CPython before 2.7.10 and 3.x before 3.4.4
allows remote attackers to inject arbitrary HTTP headers via CRLF sequences
in a URL.

Reported again in January 2016 by Timothy D. Morgan (Blindspot Security),
with a full disclosed at 2016-06-15.